aws-sdk-core 3.209.1 → 3.214.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +35 -0
  3. data/VERSION +1 -1
  4. data/lib/aws-defaults/default_configuration.rb +1 -2
  5. data/lib/aws-sdk-core/cbor.rb +3 -56
  6. data/lib/aws-sdk-core/client_stubs.rb +7 -7
  7. data/lib/aws-sdk-core/endpoints/matchers.rb +1 -8
  8. data/lib/aws-sdk-core/json/error_handler.rb +2 -1
  9. data/lib/aws-sdk-core/json/handler.rb +1 -0
  10. data/lib/aws-sdk-core/plugins/regional_endpoint.rb +44 -25
  11. data/lib/aws-sdk-core/rest/request/headers.rb +2 -2
  12. data/lib/aws-sdk-core/rpc_v2/builder.rb +1 -1
  13. data/lib/aws-sdk-core/{cbor → rpc_v2}/cbor_engine.rb +4 -5
  14. data/lib/aws-sdk-core/rpc_v2/content_type_handler.rb +3 -1
  15. data/lib/aws-sdk-core/rpc_v2/error_handler.rb +3 -2
  16. data/lib/aws-sdk-core/rpc_v2/handler.rb +2 -1
  17. data/lib/aws-sdk-core/rpc_v2/parser.rb +1 -1
  18. data/lib/aws-sdk-core/rpc_v2.rb +65 -2
  19. data/lib/aws-sdk-core/stubbing/protocols/ec2.rb +12 -11
  20. data/lib/aws-sdk-core/stubbing/protocols/json.rb +11 -10
  21. data/lib/aws-sdk-core/stubbing/protocols/query.rb +7 -6
  22. data/lib/aws-sdk-core/stubbing/protocols/rest.rb +2 -1
  23. data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +9 -8
  24. data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +6 -5
  25. data/lib/aws-sdk-core/stubbing/protocols/rpc_v2.rb +13 -15
  26. data/lib/aws-sdk-core/stubbing.rb +2 -2
  27. data/lib/aws-sdk-sso/client.rb +1 -1
  28. data/lib/aws-sdk-sso/endpoint_parameters.rb +9 -6
  29. data/lib/aws-sdk-sso/endpoints.rb +2 -42
  30. data/lib/aws-sdk-sso/plugins/endpoints.rb +1 -14
  31. data/lib/aws-sdk-sso.rb +1 -1
  32. data/lib/aws-sdk-ssooidc/client.rb +1 -1
  33. data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +9 -6
  34. data/lib/aws-sdk-ssooidc/endpoints.rb +2 -42
  35. data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +1 -14
  36. data/lib/aws-sdk-ssooidc.rb +1 -1
  37. data/lib/aws-sdk-sts/client.rb +208 -51
  38. data/lib/aws-sdk-sts/client_api.rb +23 -0
  39. data/lib/aws-sdk-sts/endpoint_parameters.rb +10 -9
  40. data/lib/aws-sdk-sts/endpoints.rb +2 -94
  41. data/lib/aws-sdk-sts/plugins/endpoints.rb +1 -22
  42. data/lib/aws-sdk-sts/types.rb +170 -27
  43. data/lib/aws-sdk-sts.rb +1 -1
  44. metadata +5 -5
@@ -460,8 +460,8 @@ module Aws::STS
460
460
  # token. Typically, you use `AssumeRole` within your account or for
461
461
  # cross-account access. For a comparison of `AssumeRole` with other API
462
462
  # operations that produce temporary credentials, see [Requesting
463
- # Temporary Security Credentials][1] and [Comparing the Amazon Web
464
- # Services STS API operations][2] in the *IAM User Guide*.
463
+ # Temporary Security Credentials][1] and [Compare STS credentials][2] in
464
+ # the *IAM User Guide*.
465
465
  #
466
466
  # **Permissions**
467
467
  #
@@ -470,9 +470,9 @@ module Aws::STS
470
470
  # following exception: You cannot call the Amazon Web Services STS
471
471
  # `GetFederationToken` or `GetSessionToken` API operations.
472
472
  #
473
- # (Optional) You can pass inline or managed [session policies][3] to
474
- # this operation. You can pass a single JSON policy document to use as
475
- # an inline session policy. You can also specify up to 10 managed policy
473
+ # (Optional) You can pass inline or managed session policies to this
474
+ # operation. You can pass a single JSON policy document to use as an
475
+ # inline session policy. You can also specify up to 10 managed policy
476
476
  # Amazon Resource Names (ARNs) to use as managed session policies. The
477
477
  # plaintext that you use for both inline and managed session policies
478
478
  # can't exceed 2,048 characters. Passing policies to this operation
@@ -545,7 +545,7 @@ module Aws::STS
545
545
  # denied. The condition in a trust policy that tests for MFA
546
546
  # authentication might look like the following example.
547
547
  #
548
- # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
548
+ # `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}`
549
549
  #
550
550
  # For more information, see [Configuring MFA-Protected API Access][8] in
551
551
  # the *IAM User Guide* guide.
@@ -558,7 +558,7 @@ module Aws::STS
558
558
  #
559
559
  #
560
560
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
561
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
561
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
562
562
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
563
563
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
564
564
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -581,11 +581,22 @@ module Aws::STS
581
581
  # credentials will expose the role session name to the external account
582
582
  # in their CloudTrail logs.
583
583
  #
584
+ # For security purposes, administrators can view this field in
585
+ # [CloudTrail logs][1] to help identify who performed an action in
586
+ # Amazon Web Services. Your administrator might require that you specify
587
+ # your user name as the session name when you assume the role. For more
588
+ # information, see [ `sts:RoleSessionName` ][2].
589
+ #
584
590
  # The regex used to validate this parameter is a string of characters
585
591
  # consisting of upper- and lower-case alphanumeric characters with no
586
592
  # spaces. You can also include underscores or any of the following
587
593
  # characters: =,.@-
588
594
  #
595
+ #
596
+ #
597
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
598
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
599
+ #
589
600
  # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
590
601
  # The Amazon Resource Names (ARNs) of the IAM managed policies that you
591
602
  # want to use as managed session policies. The policies must exist in
@@ -651,6 +662,9 @@ module Aws::STS
651
662
  #
652
663
  # </note>
653
664
  #
665
+ # For more information about role session permissions, see [Session
666
+ # policies][1].
667
+ #
654
668
  #
655
669
  #
656
670
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
@@ -673,9 +687,8 @@ module Aws::STS
673
687
  # depending on the maximum session duration setting for your role.
674
688
  # However, if you assume a role using role chaining and provide a
675
689
  # `DurationSeconds` parameter value greater than one hour, the operation
676
- # fails. To learn how to view the maximum value for your role, see [View
677
- # the Maximum Session Duration Setting for a Role][1] in the *IAM User
678
- # Guide*.
690
+ # fails. To learn how to view the maximum value for your role, see
691
+ # [Update the maximum session duration for a role][1].
679
692
  #
680
693
  # By default, the value is set to `3600` seconds.
681
694
  #
@@ -691,7 +704,7 @@ module Aws::STS
691
704
  #
692
705
  #
693
706
  #
694
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
707
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
695
708
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
696
709
  #
697
710
  # @option params [Array<Types::Tag>] :tags
@@ -744,9 +757,8 @@ module Aws::STS
744
757
  # passes to subsequent sessions in a role chain. For more information,
745
758
  # see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
746
759
  #
747
- # This parameter is optional. When you set session tags as transitive,
748
- # the session policy and session tags packed binary limit is not
749
- # affected.
760
+ # This parameter is optional. The transitive status of a session tag
761
+ # does not impact its packed binary size.
750
762
  #
751
763
  # If you choose not to specify a transitive tag key, then no tags are
752
764
  # passed from this session to any subsequent sessions.
@@ -804,16 +816,17 @@ module Aws::STS
804
816
  #
805
817
  # @option params [String] :source_identity
806
818
  # The source identity specified by the principal that is calling the
807
- # `AssumeRole` operation.
819
+ # `AssumeRole` operation. The source identity value persists across
820
+ # [chained role][1] sessions.
808
821
  #
809
822
  # You can require users to specify a source identity when they assume a
810
- # role. You do this by using the `sts:SourceIdentity` condition key in a
811
- # role trust policy. You can use source identity information in
823
+ # role. You do this by using the [ `sts:SourceIdentity` ][2] condition
824
+ # key in a role trust policy. You can use source identity information in
812
825
  # CloudTrail logs to determine who took actions with a role. You can use
813
826
  # the `aws:SourceIdentity` condition key to further control access to
814
827
  # Amazon Web Services resources based on the value of source identity.
815
828
  # For more information about using source identity, see [Monitor and
816
- # control actions taken with assumed roles][1] in the *IAM User Guide*.
829
+ # control actions taken with assumed roles][3] in the *IAM User Guide*.
817
830
  #
818
831
  # The regex used to validate this parameter is a string of characters
819
832
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -823,7 +836,9 @@ module Aws::STS
823
836
  #
824
837
  #
825
838
  #
826
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
839
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
840
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
841
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
827
842
  #
828
843
  # @option params [Array<Types::ProvidedContext>] :provided_contexts
829
844
  # A list of previously acquired trusted context assertions in the format
@@ -834,7 +849,7 @@ module Aws::STS
834
849
  # a single trusted context assertion and the ARN of the context provider
835
850
  # from which the trusted context assertion was generated.
836
851
  #
837
- # `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
852
+ # `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
838
853
  #
839
854
  # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
840
855
  #
@@ -944,8 +959,8 @@ module Aws::STS
944
959
  # user-specific credentials or configuration. For a comparison of
945
960
  # `AssumeRoleWithSAML` with the other API operations that produce
946
961
  # temporary credentials, see [Requesting Temporary Security
947
- # Credentials][1] and [Comparing the Amazon Web Services STS API
948
- # operations][2] in the *IAM User Guide*.
962
+ # Credentials][1] and [Compare STS credentials][2] in the *IAM User
963
+ # Guide*.
949
964
  #
950
965
  # The temporary security credentials returned by this operation consist
951
966
  # of an access key ID, a secret access key, and a security token.
@@ -1075,7 +1090,7 @@ module Aws::STS
1075
1090
  #
1076
1091
  #
1077
1092
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1078
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1093
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
1079
1094
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1080
1095
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1081
1096
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
@@ -1163,6 +1178,9 @@ module Aws::STS
1163
1178
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1164
1179
  # characters.
1165
1180
  #
1181
+ # For more information about role session permissions, see [Session
1182
+ # policies][1].
1183
+ #
1166
1184
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1167
1185
  # policy, managed policy ARNs, and session tags into a packed binary
1168
1186
  # format that has a separate limit. Your request can fail for this limit
@@ -1317,8 +1335,8 @@ module Aws::STS
1317
1335
  # a token from the web identity provider. For a comparison of
1318
1336
  # `AssumeRoleWithWebIdentity` with the other API operations that produce
1319
1337
  # temporary credentials, see [Requesting Temporary Security
1320
- # Credentials][4] and [Comparing the Amazon Web Services STS API
1321
- # operations][5] in the *IAM User Guide*.
1338
+ # Credentials][4] and [Compare STS credentials][5] in the *IAM User
1339
+ # Guide*.
1322
1340
  #
1323
1341
  # The temporary security credentials returned by this API consist of an
1324
1342
  # access key ID, a secret access key, and a security token. Applications
@@ -1333,9 +1351,9 @@ module Aws::STS
1333
1351
  # your session. You can provide a value from 900 seconds (15 minutes) up
1334
1352
  # to the maximum session duration setting for the role. This setting can
1335
1353
  # have a value from 1 hour to 12 hours. To learn how to view the maximum
1336
- # value for your role, see [View the Maximum Session Duration Setting
1337
- # for a Role][6] in the *IAM User Guide*. The maximum session duration
1338
- # limit applies when you use the `AssumeRole*` API operations or the
1354
+ # value for your role, see [Update the maximum session duration for a
1355
+ # role ][6] in the *IAM User Guide*. The maximum session duration limit
1356
+ # applies when you use the `AssumeRole*` API operations or the
1339
1357
  # `assume-role*` CLI commands. However the limit does not apply when you
1340
1358
  # use those operations to create a console URL. For more information,
1341
1359
  # see [Using IAM Roles][7] in the *IAM User Guide*.
@@ -1413,35 +1431,26 @@ module Aws::STS
1413
1431
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1414
1432
  # specification][14].
1415
1433
  #
1416
- # For more information about how to use web identity federation and the
1434
+ # For more information about how to use OIDC federation and the
1417
1435
  # `AssumeRoleWithWebIdentity` API, see the following resources:
1418
1436
  #
1419
1437
  # * [Using Web Identity Federation API Operations for Mobile Apps][15]
1420
1438
  # and [Federation Through a Web-based Identity Provider][16].
1421
1439
  #
1422
- # * [ Web Identity Federation Playground][17]. Walk through the process
1423
- # of authenticating through Login with Amazon, Facebook, or Google,
1424
- # getting temporary security credentials, and then using those
1425
- # credentials to make a request to Amazon Web Services.
1426
- #
1427
1440
  # * [Amazon Web Services SDK for iOS Developer Guide][2] and [Amazon Web
1428
1441
  # Services SDK for Android Developer Guide][3]. These toolkits contain
1429
1442
  # sample apps that show how to invoke the identity providers. The
1430
1443
  # toolkits then show how to use the information from these providers
1431
1444
  # to get and use temporary security credentials.
1432
1445
  #
1433
- # * [Web Identity Federation with Mobile Applications][18]. This article
1434
- # discusses web identity federation and shows an example of how to use
1435
- # web identity federation to get access to content in Amazon S3.
1436
- #
1437
1446
  #
1438
1447
  #
1439
1448
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
1440
1449
  # [2]: http://aws.amazon.com/sdkforios/
1441
1450
  # [3]: http://aws.amazon.com/sdkforandroid/
1442
1451
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1443
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1444
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1452
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
1453
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
1445
1454
  # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1446
1455
  # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1447
1456
  # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -1452,13 +1461,29 @@ module Aws::STS
1452
1461
  # [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1453
1462
  # [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1454
1463
  # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1455
- # [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
1456
- # [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1457
1464
  #
1458
1465
  # @option params [required, String] :role_arn
1459
1466
  # The Amazon Resource Name (ARN) of the role that the caller is
1460
1467
  # assuming.
1461
1468
  #
1469
+ # <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools that
1470
+ # assume [cross-account IAM roles][1]. The trust policies of these roles
1471
+ # must accept the `cognito-identity.amazonaws.com` service principal and
1472
+ # must contain the `cognito-identity.amazonaws.com:aud` condition key to
1473
+ # restrict role assumption to users from your intended identity pools. A
1474
+ # policy that trusts Amazon Cognito identity pools without this
1475
+ # condition creates a risk that a user from an unintended identity pool
1476
+ # can assume the role. For more information, see [ Trust policies for
1477
+ # IAM roles in Basic (Classic) authentication ][2] in the *Amazon
1478
+ # Cognito Developer Guide*.
1479
+ #
1480
+ # </note>
1481
+ #
1482
+ #
1483
+ #
1484
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
1485
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
1486
+ #
1462
1487
  # @option params [required, String] :role_session_name
1463
1488
  # An identifier for the assumed role session. Typically, you pass the
1464
1489
  # name or identifier that is associated with the user who is using your
@@ -1467,18 +1492,30 @@ module Aws::STS
1467
1492
  # is included as part of the ARN and assumed role ID in the
1468
1493
  # `AssumedRoleUser` response element.
1469
1494
  #
1495
+ # For security purposes, administrators can view this field in
1496
+ # [CloudTrail logs][1] to help identify who performed an action in
1497
+ # Amazon Web Services. Your administrator might require that you specify
1498
+ # your user name as the session name when you assume the role. For more
1499
+ # information, see [ `sts:RoleSessionName` ][2].
1500
+ #
1470
1501
  # The regex used to validate this parameter is a string of characters
1471
1502
  # consisting of upper- and lower-case alphanumeric characters with no
1472
1503
  # spaces. You can also include underscores or any of the following
1473
1504
  # characters: =,.@-
1474
1505
  #
1506
+ #
1507
+ #
1508
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
1509
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
1510
+ #
1475
1511
  # @option params [required, String] :web_identity_token
1476
1512
  # The OAuth 2.0 access token or OpenID Connect ID token that is provided
1477
1513
  # by the identity provider. Your application must get this token by
1478
1514
  # authenticating the user who is using your application with a web
1479
1515
  # identity provider before the application makes an
1480
- # `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
1481
- # (RS256) are supported.
1516
+ # `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
1517
+ # formatted as either an integer or a long integer. Only tokens with RSA
1518
+ # algorithms (RS256) are supported.
1482
1519
  #
1483
1520
  # @option params [String] :provider_id
1484
1521
  # The fully qualified host component of the domain name of the OAuth 2.0
@@ -1547,6 +1584,9 @@ module Aws::STS
1547
1584
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1548
1585
  # characters.
1549
1586
  #
1587
+ # For more information about role session permissions, see [Session
1588
+ # policies][1].
1589
+ #
1550
1590
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1551
1591
  # policy, managed policy ARNs, and session tags into a packed binary
1552
1592
  # format that has a separate limit. Your request can fail for this limit
@@ -1667,6 +1707,123 @@ module Aws::STS
1667
1707
  req.send_request(options)
1668
1708
  end
1669
1709
 
1710
+ # Returns a set of short term credentials you can use to perform
1711
+ # privileged tasks in a member account.
1712
+ #
1713
+ # Before you can launch a privileged session, you must have enabled
1714
+ # centralized root access in your organization. For steps to enable this
1715
+ # feature, see [Centralize root access for member accounts][1] in the
1716
+ # *IAM User Guide*.
1717
+ #
1718
+ # <note markdown="1"> The global endpoint is not supported for AssumeRoot. You must send
1719
+ # this request to a Regional STS endpoint. For more information, see
1720
+ # [Endpoints][2].
1721
+ #
1722
+ # </note>
1723
+ #
1724
+ # You can track AssumeRoot in CloudTrail logs to determine what actions
1725
+ # were performed in a session. For more information, see [Track
1726
+ # privileged tasks in CloudTrail][3] in the *IAM User Guide*.
1727
+ #
1728
+ #
1729
+ #
1730
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
1731
+ # [2]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
1732
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
1733
+ #
1734
+ # @option params [required, String] :target_principal
1735
+ # The member account principal ARN or account ID.
1736
+ #
1737
+ # @option params [required, Types::PolicyDescriptorType] :task_policy_arn
1738
+ # The identity based policy that scopes the session to the privileged
1739
+ # tasks that can be performed. You can use one of following Amazon Web
1740
+ # Services managed policies to scope root session actions. You can add
1741
+ # additional customer managed policies to further limit the permissions
1742
+ # for the root session.
1743
+ #
1744
+ # * [IAMAuditRootUserCredentials][1]
1745
+ #
1746
+ # * [IAMCreateRootUserPassword][2]
1747
+ #
1748
+ # * [IAMDeleteRootUserCredentials][3]
1749
+ #
1750
+ # * [S3UnlockBucketPolicy][4]
1751
+ #
1752
+ # * [SQSUnlockQueuePolicy][5]
1753
+ #
1754
+ #
1755
+ #
1756
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
1757
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
1758
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
1759
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
1760
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
1761
+ #
1762
+ # @option params [Integer] :duration_seconds
1763
+ # The duration, in seconds, of the privileged session. The value can
1764
+ # range from 0 seconds up to the maximum session duration of 900 seconds
1765
+ # (15 minutes). If you specify a value higher than this setting, the
1766
+ # operation fails.
1767
+ #
1768
+ # By default, the value is set to `900` seconds.
1769
+ #
1770
+ # @return [Types::AssumeRootResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1771
+ #
1772
+ # * {Types::AssumeRootResponse#credentials #credentials} => Types::Credentials
1773
+ # * {Types::AssumeRootResponse#source_identity #source_identity} => String
1774
+ #
1775
+ #
1776
+ # @example Example: To launch a privileged session
1777
+ #
1778
+ # # The following command retrieves a set of short-term credentials you can use to unlock an S3 bucket for a member account
1779
+ # # by removing the bucket policy.
1780
+ #
1781
+ # resp = client.assume_root({
1782
+ # duration_seconds: 900,
1783
+ # target_principal: "111122223333",
1784
+ # task_policy_arn: {
1785
+ # arn: "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
1786
+ # },
1787
+ # })
1788
+ #
1789
+ # resp.to_h outputs the following:
1790
+ # {
1791
+ # credentials: {
1792
+ # access_key_id: "ASIAJEXAMPLEXEG2JICEA",
1793
+ # expiration: Time.parse("2024-11-15T00:05:07Z"),
1794
+ # secret_access_key: "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
1795
+ # session_token: "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
1796
+ # },
1797
+ # source_identity: "Alice",
1798
+ # }
1799
+ #
1800
+ # @example Request syntax with placeholder values
1801
+ #
1802
+ # resp = client.assume_root({
1803
+ # target_principal: "TargetPrincipalType", # required
1804
+ # task_policy_arn: { # required
1805
+ # arn: "arnType",
1806
+ # },
1807
+ # duration_seconds: 1,
1808
+ # })
1809
+ #
1810
+ # @example Response structure
1811
+ #
1812
+ # resp.credentials.access_key_id #=> String
1813
+ # resp.credentials.secret_access_key #=> String
1814
+ # resp.credentials.session_token #=> String
1815
+ # resp.credentials.expiration #=> Time
1816
+ # resp.source_identity #=> String
1817
+ #
1818
+ # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoot AWS API Documentation
1819
+ #
1820
+ # @overload assume_root(params = {})
1821
+ # @param [Hash] params ({})
1822
+ def assume_root(params = {}, options = {})
1823
+ req = build_request(:assume_root, params)
1824
+ req.send_request(options)
1825
+ end
1826
+
1670
1827
  # Decodes additional information about the authorization status of a
1671
1828
  # request from an encoded message returned in response to an Amazon Web
1672
1829
  # Services request.
@@ -1905,8 +2062,8 @@ module Aws::STS
1905
2062
  # usually in a server-based application. For a comparison of
1906
2063
  # `GetFederationToken` with the other API operations that produce
1907
2064
  # temporary credentials, see [Requesting Temporary Security
1908
- # Credentials][1] and [Comparing the Amazon Web Services STS API
1909
- # operations][2] in the *IAM User Guide*.
2065
+ # Credentials][1] and [Compare STS credentials][2] in the *IAM User
2066
+ # Guide*.
1910
2067
  #
1911
2068
  # Although it is possible to call `GetFederationToken` using the
1912
2069
  # security credentials of an Amazon Web Services account root user
@@ -2003,7 +2160,7 @@ module Aws::STS
2003
2160
  #
2004
2161
  #
2005
2162
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2006
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2163
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
2007
2164
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
2008
2165
  # [4]: http://aws.amazon.com/cognito/
2009
2166
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
@@ -2255,8 +2412,8 @@ module Aws::STS
2255
2412
  # An incorrect MFA code causes the API to return an access denied error.
2256
2413
  # For a comparison of `GetSessionToken` with the other API operations
2257
2414
  # that produce temporary credentials, see [Requesting Temporary Security
2258
- # Credentials][1] and [Comparing the Amazon Web Services STS API
2259
- # operations][2] in the *IAM User Guide*.
2415
+ # Credentials][1] and [Compare STS credentials][2] in the *IAM User
2416
+ # Guide*.
2260
2417
  #
2261
2418
  # <note markdown="1"> No permissions are required for users to perform this operation. The
2262
2419
  # purpose of the `sts:GetSessionToken` operation is to authenticate the
@@ -2311,7 +2468,7 @@ module Aws::STS
2311
2468
  #
2312
2469
  #
2313
2470
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2314
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2471
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
2315
2472
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
2316
2473
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
2317
2474
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
@@ -2416,7 +2573,7 @@ module Aws::STS
2416
2573
  tracer: tracer
2417
2574
  )
2418
2575
  context[:gem_name] = 'aws-sdk-core'
2419
- context[:gem_version] = '3.209.1'
2576
+ context[:gem_version] = '3.214.0'
2420
2577
  Seahorse::Client::Request.new(handlers, context)
2421
2578
  end
2422
2579
 
@@ -20,6 +20,8 @@ module Aws::STS
20
20
  AssumeRoleWithSAMLResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithSAMLResponse')
21
21
  AssumeRoleWithWebIdentityRequest = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityRequest')
22
22
  AssumeRoleWithWebIdentityResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityResponse')
23
+ AssumeRootRequest = Shapes::StructureShape.new(name: 'AssumeRootRequest')
24
+ AssumeRootResponse = Shapes::StructureShape.new(name: 'AssumeRootResponse')
23
25
  AssumedRoleUser = Shapes::StructureShape.new(name: 'AssumedRoleUser')
24
26
  Audience = Shapes::StringShape.new(name: 'Audience')
25
27
  Credentials = Shapes::StructureShape.new(name: 'Credentials')
@@ -47,10 +49,12 @@ module Aws::STS
47
49
  ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
48
50
  ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
49
51
  RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code"=>"RegionDisabledException", "httpStatusCode"=>403, "senderFault"=>true})
52
+ RootDurationSecondsType = Shapes::IntegerShape.new(name: 'RootDurationSecondsType')
50
53
  SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
51
54
  Subject = Shapes::StringShape.new(name: 'Subject')
52
55
  SubjectType = Shapes::StringShape.new(name: 'SubjectType')
53
56
  Tag = Shapes::StructureShape.new(name: 'Tag')
57
+ TargetPrincipalType = Shapes::StringShape.new(name: 'TargetPrincipalType')
54
58
  accessKeyIdType = Shapes::StringShape.new(name: 'accessKeyIdType')
55
59
  accessKeySecretType = Shapes::StringShape.new(name: 'accessKeySecretType')
56
60
  accountType = Shapes::StringShape.new(name: 'accountType')
@@ -148,6 +152,15 @@ module Aws::STS
148
152
  AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
149
153
  AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
150
154
 
155
+ AssumeRootRequest.add_member(:target_principal, Shapes::ShapeRef.new(shape: TargetPrincipalType, required: true, location_name: "TargetPrincipal"))
156
+ AssumeRootRequest.add_member(:task_policy_arn, Shapes::ShapeRef.new(shape: PolicyDescriptorType, required: true, location_name: "TaskPolicyArn"))
157
+ AssumeRootRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: RootDurationSecondsType, location_name: "DurationSeconds"))
158
+ AssumeRootRequest.struct_class = Types::AssumeRootRequest
159
+
160
+ AssumeRootResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
161
+ AssumeRootResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
162
+ AssumeRootResponse.struct_class = Types::AssumeRootResponse
163
+
151
164
  AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
152
165
  AssumedRoleUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
153
166
  AssumedRoleUser.struct_class = Types::AssumedRoleUser
@@ -308,6 +321,16 @@ module Aws::STS
308
321
  o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
309
322
  end)
310
323
 
324
+ api.add_operation(:assume_root, Seahorse::Model::Operation.new.tap do |o|
325
+ o.name = "AssumeRoot"
326
+ o.http_method = "POST"
327
+ o.http_request_uri = "/"
328
+ o.input = Shapes::ShapeRef.new(shape: AssumeRootRequest)
329
+ o.output = Shapes::ShapeRef.new(shape: AssumeRootResponse)
330
+ o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
331
+ o.errors << Shapes::ShapeRef.new(shape: ExpiredTokenException)
332
+ end)
333
+
311
334
  api.add_operation(:decode_authorization_message, Seahorse::Model::Operation.new.tap do |o|
312
335
  o.name = "DecodeAuthorizationMessage"
313
336
  o.http_method = "POST"
@@ -59,20 +59,21 @@ module Aws::STS
59
59
  self[:region] = options[:region]
60
60
  self[:use_dual_stack] = options[:use_dual_stack]
61
61
  self[:use_dual_stack] = false if self[:use_dual_stack].nil?
62
- if self[:use_dual_stack].nil?
63
- raise ArgumentError, "Missing required EndpointParameter: :use_dual_stack"
64
- end
65
62
  self[:use_fips] = options[:use_fips]
66
63
  self[:use_fips] = false if self[:use_fips].nil?
67
- if self[:use_fips].nil?
68
- raise ArgumentError, "Missing required EndpointParameter: :use_fips"
69
- end
70
64
  self[:endpoint] = options[:endpoint]
71
65
  self[:use_global_endpoint] = options[:use_global_endpoint]
72
66
  self[:use_global_endpoint] = false if self[:use_global_endpoint].nil?
73
- if self[:use_global_endpoint].nil?
74
- raise ArgumentError, "Missing required EndpointParameter: :use_global_endpoint"
75
- end
67
+ end
68
+
69
+ def self.create(config, options={})
70
+ new({
71
+ region: config.region,
72
+ use_dual_stack: config.use_dualstack_endpoint,
73
+ use_fips: config.use_fips_endpoint,
74
+ endpoint: (config.endpoint.to_s unless config.regional_endpoint),
75
+ use_global_endpoint: config.sts_regional_endpoints == 'legacy',
76
+ }.merge(options))
76
77
  end
77
78
  end
78
79
  end